Re: some reality about iptables, please
On Tue, 2003-08-26 at 21:12, Bret Comstock Waldow wrote:
> I can find all the sites and advice I want about how to form iptables
> rules, but I can't find any decent discussion of how to enable the damn
> things.
>
> I get the idea that an iptables firewall is set up by actually running a
> bunch of "iptables -options" lines, presumably from a script.
>
> But where do I put the script(s)?
>
> There's a mechanism set up in /etc/default/iptables. I quote from the
> file:
>
> # A: I was pretty much hounded into providing it. I do not like it.
> # Don't use it. Use /etc/network/interfaces, use /etc/network/*.d/
> # scripts use /etc/ppp/ip-*.d/ script. Create your own custom
> # init.d script -- no need to even name it iptables. Use ferm,
> # ipmasq, ipmenu, guarddog, firestarter, or one of the many other
> # firewall configuration tools available. Do not use the init.d
> # script.
> ...
> # Q: How do I get started?
> # A: (Did I mention "do not use it" already? Oh well.)
>
> For crissake! Can anyone point me at some sensible discussion of how
> the hell to go about putting firewall rules in place? I've got a
> laptop, usually on a cable modem, but sometimes using dial-up.
>
> I know generally about the /etc/init.d/rcX.d runlevel mechanism. Now I
> need a sensible discussion of when and HOW to run what sorts of
> iptables-rules-containing scripts so I can figure out how to protect my
> system. Please don't just tell me about "runlevels" - I know they exist
> already.
>
> The Debian Security manual is useless. It only give examples of a few
> iptables rules, says that's not enough, and speaks not at all (that I've
> found yet) about how to implement the damn things.
>
> Someone somewhere speaks to issue of the actual plumbing to implement
> iptables. Can anyone point me?
<snip>
you can read /etc/init.d/iptables comments for info.
here is the short version:
#clear out rules
iptables -F
#run script to load iptables rules into memory
sh iptables.sh
# make required directory?
mkdir /var/lib/iptables
#save active rule set
/etc/init.d/iptables save active
#flush rules -- inactive rule set
iptables -F
#save inactive rules set
/etc/init.d/iptables save inactive
# enjoy rules on next reboot or /etc/init.d/iptables start
-Kev
Reply to: